The following configuration protects a debian head end from defined threats. This is based on this script. Dependencies are ipset and iprange.
/usr/local/sbin/updatethreatblock.sh
#!/usr/bin/env bash # # usage updatethreatblock.sh <configuration file> # eg: updatethreatblock.sh /etc/ipset-threatblock/ipset-threatblock.conf # function exists() { command -v "$1" >/dev/null 2>&1 ; } if [[ -z "$1" ]]; then echo "Error: please specify a configuration file, e.g. $0 /etc/ipset-threatblock/ipset-threatblock.conf" exit 1 fi # shellcheck source=ipset-threatblock.conf if ! source "$1"; then echo "Error: can't load configuration file $1" exit 1 fi if ! exists curl && exists egrep && exists grep && exists ipset && exists iptables && exists sed && exists sort && exists wc ; then echo >&2 "Error: searching PATH fails to find executables among: curl egrep grep ipset iptables sed sort wc" exit 1 fi DO_OPTIMIZE_CIDR=no if exists iprange && [[ ${OPTIMIZE_CIDR:-yes} != no ]]; then DO_OPTIMIZE_CIDR=yes fi if [[ ! -d $(dirname "$IP_BLACKLIST") || ! -d $(dirname "$IP_BLACKLIST_RESTORE") ]]; then echo >&2 "Error: missing directory(s): $(dirname "$IP_BLACKLIST" "$IP_BLACKLIST_RESTORE"|sort -u)" exit 1 fi if [ -f "$IP_BLACKLIST_EXCEPTIONS" ]; then EXCEPTIONS_TMP=$(mktemp) for exception in $(sed -r -e 's/\s*#.*$//;/^$/d;/^(0.0.0.0|10.|127.|172.1[6-9].|172.2[0-9].|172.3[0-1].|192.168.|22[4-9].|23[0-9].)/d' "$IP_BLACKLIST_EXCEPTIONS") do exception_array+=( "$exception" ) echo $exception >> $EXCEPTIONS_TMP done fi # create the ipset if needed (or abort if does not exists and FORCE=no) if ! ipset list -n|command grep -q "$IPSET_BLACKLIST_NAME"; then if [[ ${FORCE:-no} != yes ]]; then echo >&2 "Error: ipset does not exist yet, add it using:" echo >&2 "# ipset create $IPSET_BLACKLIST_NAME -exist hash:net family inet hashsize ${HASHSIZE:-16384} maxelem ${MAXELEM:-65536}" exit 1 fi if ! ipset create "$IPSET_BLACKLIST_NAME" -exist hash:net family inet hashsize "${HASHSIZE:-16384}" maxelem "${MAXELEM:-65536}"; then echo >&2 "Error: while creating the initial ipset" exit 1 fi fi # create the iptables binding if needed (or abort if does not exists and FORCE=no) if ! iptables -nvL INPUT|command grep -q "match-set $IPSET_BLACKLIST_NAME"; then # we may also have assumed that INPUT rule n°1 is about packets statistics (traffic monitoring) if [[ ${FORCE:-no} != yes ]]; then echo >&2 "Error: iptables does not have the needed ipset INPUT rule, add it using:" echo >&2 "# iptables -I INPUT ${IPTABLES_IPSET_RULE_NUMBER:-1} -m set --match-set $IPSET_BLACKLIST_NAME src -j DROP" exit 1 fi if ! iptables -I INPUT "${IPTABLES_IPSET_RULE_NUMBER:-1}" -m set --match-set "$IPSET_BLACKLIST_NAME" src -j DROP; then echo >&2 "Error: while adding the --match-set ipset rule to iptables" exit 1 fi fi IP_BLACKLIST_TMP=$(mktemp) for i in "${BLACKLISTS[@]}" do IP_TMP=$(mktemp) (( HTTP_RC=$(curl -L -A "blacklist-update/script/github" --connect-timeout 10 --max-time 10 -o "$IP_TMP" -s -w "%{http_code}" "$i") )) if (( HTTP_RC == 200 || HTTP_RC == 302 || HTTP_RC == 0 )); then # "0" because file:/// returns 000 command grep -Po '^(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?' "$IP_TMP" | sed -r 's/^0*([0-9]+)\.0*([0-9]+)\.0*([0-9]+)\.0*([0-9]+)$/\1.\2.\3.\4/' >> "$IP_BLACKLIST_TMP" [[ ${VERBOSE:-yes} == yes ]] && echo -n "." elif (( HTTP_RC == 503 )); then echo -e "\\nUnavailable (${HTTP_RC}): $i" else echo >&2 -e "\\nWarning: curl returned HTTP response code $HTTP_RC for URL $i" fi rm -f "$IP_TMP" done # sort -nu does not work as expected sed -r -e '/^(0\.0\.0\.0|10\.|127\.|172\.1[6-9]\.|172\.2[0-9]\.|172\.3[0-1]\.|192\.168\.|22[4-9]\.|23[0-9]\.)/d' "$IP_BLACKLIST_TMP"|sort -n|sort -mu >| "$IP_BLACKLIST" if [[ ${DO_OPTIMIZE_CIDR} == yes ]]; then if [[ ${VERBOSE:-no} == yes ]]; then echo -e "\\nAddresses before CIDR optimization: $(wc -l "$IP_BLACKLIST" | cut -d' ' -f1)" fi < "$IP_BLACKLIST" iprange --optimize - > "$IP_BLACKLIST_TMP" 2>/dev/null if [[ ${#exception_array[@]} > 0 ]]; then echo "Allowing for ${#exception_array[@]} exclusions from blacklist" echo "Addresses before removing exclusions: $(wc -l "$IP_BLACKLIST_TMP" | cut -d' ' -f1)" IP_BLACKLIST_WITH_EXCEPT_TMP=$(mktemp) iprange "$IP_BLACKLIST_TMP" --except "$EXCEPTIONS_TMP" > "$IP_BLACKLIST_WITH_EXCEPT_TMP" 2>/dev/null cp "$IP_BLACKLIST_WITH_EXCEPT_TMP" "$IP_BLACKLIST_TMP" fi if [[ ${VERBOSE:-no} == yes ]]; then echo "Addresses after CIDR optimization: $(wc -l "$IP_BLACKLIST_TMP" | cut -d' ' -f1)" fi cp "$IP_BLACKLIST_TMP" "$IP_BLACKLIST" fi rm -f "$IP_BLACKLIST_TMP" # family = inet for IPv4 only cat >| "$IP_BLACKLIST_RESTORE" <<EOF create $IPSET_TMP_BLACKLIST_NAME -exist hash:net family inet hashsize ${HASHSIZE:-16384} maxelem ${MAXELEM:-65536} create $IPSET_BLACKLIST_NAME -exist hash:net family inet hashsize ${HASHSIZE:-16384} maxelem ${MAXELEM:-65536} EOF # can be IPv4 including netmask notation # IPv6 ? -e "s/^([0-9a-f:./]+).*/add $IPSET_TMP_BLACKLIST_NAME \1/p" \ IPv6 sed -rn -e '/^#|^$/d' \ -e "s/^([0-9./]+).*/add $IPSET_TMP_BLACKLIST_NAME \\1/p" "$IP_BLACKLIST" >> "$IP_BLACKLIST_RESTORE" cat >> "$IP_BLACKLIST_RESTORE" <<EOF swap $IPSET_BLACKLIST_NAME $IPSET_TMP_BLACKLIST_NAME destroy $IPSET_TMP_BLACKLIST_NAME EOF ipset -file "$IP_BLACKLIST_RESTORE" restore if [[ ${VERBOSE:-no} == yes ]]; then echo echo "Threatblock addresses found: $(wc -l "$IP_BLACKLIST" | cut -d' ' -f1)" fi
/usr/local/sbin/startubl.sh
#!/bin/bash PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin cd /usr/local/sbin date > /var/log/threatblock/tb-`date +%d%H`.run /usr/local/sbin/updatethreatblock.sh /etc/ipset-threatblock/ipset-threatblock.conf date >> /var/log/threatblock/tb-`date +%d%H`.run
/usr/local/sbin/rebootubl.sh
#!/bin/bash # Threat intelligence /sbin/ipset restore < /etc/ipset-threatblock/ip-threatblock.restore /sbin/iptables -I INPUT 1 -i enp4s0f1 -m set --match-set threatblock src -j DROP -m comment --comment "threat intel" /sbin/iptables -I FORWARD 1 -i enp4s0f1 -m set --match-set threatblock src -j DROP -m comment --comment "threat intel" /sbin/iptables -I FORWARD 1 -o enp4s0f1 -m set --match-set threatblock src -j DROP -m comment --comment "threat intel"
crontab
# # m h dom mon dow command @reboot sleep 180 && /usr/local/sbin/rebootubl.sh @daily /usr/local/sbin/startubl.sh
/etc/ipset-threatblock/ipset-threatblock.conf
IPSET_BLACKLIST_NAME=threatblock # change it if it collides with a pre-existing ipset list IPSET_TMP_BLACKLIST_NAME=${IPSET_BLACKLIST_NAME}-tmp # ensure the directory for IP_BLACKLIST/IP_BLACKLIST_RESTORE exists (it won't be created automatically) IP_BLACKLIST_RESTORE=/etc/ipset-threatblock/ip-threatblock.restore IP_BLACKLIST=/etc/ipset-threatblock/ip-threatblock.list IP_BLACKLIST_EXCEPTIONS=/etc/ipset-threatblock/threatblock.exceptions VERBOSE=yes # probably set to "no" for cron jobs, default to yes FORCE=yes # will create the ipset-iptable binding if it does not already exist let IPTABLES_IPSET_RULE_NUMBER=1 # if FORCE is yes, the number at which place insert the ipset-match rule (default to 1) # Sample (!) list of URLs for IP blacklists. Currently, only IPv4 is supported in this script, everything else will be filtered. BLACKLISTS=( "file:///etc/ipset-blacklist/ip-threatblock-custom.list" # optional, for your personal nemeses (no typo, plural) "https://www.projecthoneypot.org/list_of_ips.php?t=d&rss=1" # Project Honey Pot Directory of Dictionary Attacker IPs "https://check.torproject.org/cgi-bin/TorBulkExitList.py?ip=1.1.1.1" # TOR Exit Nodes "http://danger.rulez.sk/projects/bruteforceblocker/blist.php" # BruteForceBlocker IP List "https://www.spamhaus.org/drop/drop.lasso" # Spamhaus Don't Route Or Peer List (DROP) "https://cinsscore.com/list/ci-badguys.txt" # C.I. Army Malicious IP List "https://lists.blocklist.de/lists/all.txt" # blocklist.de attackers "https://blocklist.greensnow.co/greensnow.txt" # GreenSnow "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset" # Firehol Level 1 "https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/stopforumspam_7d.ipset" # Stopforumspam via Firehol "https://gitlab.com/ohisee/block-shodan-stretchoid-census/raw/master/pf_table_shadowserver.txt" # Shadow server "https://gitlab.com/ohisee/block-shodan-stretchoid-census/raw/master/pf_table_shodan.txt" # Shodan "https://gitlab.com/ohisee/block-shodan-stretchoid-census/raw/master/pf_table_sogou.txt" # Sogou search engine "https://gitlab.com/ohisee/block-shodan-stretchoid-census/raw/master/pf_table_evil.txt" # Hostile IPs "https://gitlab.com/ohisee/block-shodan-stretchoid-census/raw/master/pf_table_internet_cens.txt" # Internet census "https://gitlab.com/ohisee/block-shodan-stretchoid-census/raw/master/pf_table_diverseenvironment.txt" # Diverse environment "https://gitlab.com/ohisee/block-shodan-stretchoid-census/raw/master/pf_table_netsysres.txt" # Net Systems Research "https://gitlab.com/ohisee/block-shodan-stretchoid-census/raw/master/pf_table_rwth-aachen.txt" # AAChen "https://gitlab.com/ohisee/block-shodan-stretchoid-census/raw/master/pf_table_onyphe.txt" # onephe "https://gitlab.com/ohisee/block-shodan-stretchoid-census/raw/master/pf_table_stretchoid.txt" # Strechoid "https://gitlab.com/ohisee/block-shodan-stretchoid-census/raw/master/pf_table_openportsstats.txt" # OpenPortStats # "http://ipverse.net/ipblocks/data/countries/xx.zone" # Ban an entire country, see http://ipverse.net/ipblocks/data/countries/ ) MAXELEM=131072
/etc/ipset-threatblock/ip-threatblock-custom.list
104.152.52.0/24 # Proxylogon attacking IPs via Bluehexagon 86.105.18.116 89.34.111.11 182.18.152.105 103.77.192.219 104.140.114.110 104.248.49.97 104.250.191.110 108.61.246.56 149.28.14.163 157.230.221.198 161.35.1.207 161.35.1.225 165.232.154.116 167.99.168.251 167.99.239.29 185.250.151.72 192.81.208.169 203.160.69.66 211.56.98.146 5.2.69.14 5.254.43.18 80.92.205.81 91.192.103.43 104.248.49.97 13.231.174.2 161.35.45.41 194.87.69.35 45.155.205.225 45.76.110.29 45.77.252.175 112.66.255.71 139.59.56.239 161.35.51.41 161.35.76.1 188.166.162.201 77.61.36.169 161.129.64.124 46.30.188.60 139.162.123.108 194.68.44.19 172.105.18.72 77.83.159.15 185.125.231.175 185.224.83.137 107.173.83.123 201.162.109.184 68.2.82.62 182.215.181.200 45.15.9.45 141.164.40.193 172.105.87.139
/etc/ipset-threatblock/threatblock.exceptions
13.107.42.2 13.107.42.11 23.227.38.65 100.64.0.0/10
This article was originally published over on LinkedIn: Protecting a debian head end
Comments
Post a Comment